Compliance with Laws and Policies
Users must comply with all applicable federal, state, and local laws, as well as Del Mar College policies and procedures, when using college information system assets and networks. This includes, but is not limited to, copyright laws, intellectual property rights, privacy laws, and laws pertaining to the use of technology resources.
Ethical Use
Del Mar College promotes a culture of ethical conduct and responsible behavior in the use of computing assets, emphasizing considerations for maintaining a respectful and inclusive digital environment within the College community. Users are expected to uphold the highest standards of integrity, honesty, and professionalism in their digital interactions, communications, and contributions.
Protection of College Systems and Data
To maintain the ongoing security and integrity of the College’s information systems and data, Del Mar College has established roles and responsibilities in accordance with State regulations as follows:
Information Owners:
Classification and Access Control: Information owners are responsible for classifying information under their authority in accordance with the Del Mar College Data Classification Procedure. They must approve and periodically review access to these resources, making control decisions based on documented risk management standards.
Security of Data and Systems: Assign custodianship of information resources appropriately and coordinate with the Information Security Officer (ISO) to ensure alignment with the College’s security control requirements.
Exception Management: Justify, document, and maintain accountability for any exceptions to required security controls in consultation with the ISO.
Information Custodians:
Implementing Controls: Responsible for the implementation of security controls to safeguard information resources as directed by Information Owners and the ISO, and in compliance with the College’s policies and procedures, applicable regulatory requirements, and industry standards.
Monitoring and Incident Response: Utilize approved monitoring to detect and promptly report security incidents. Respond to incidents and threats in accordance with College Incident Response (IR) procedures.
Information Users:
Compliant Usage: Only use College information resources for authorized purposes as specified by the College, Information Owner directives, and ISO instruction. Ensure compliance with all applicable security controls, laws, regulations, and College policies and procedures, to prevent unauthorized access, disclosure, modification, or destruction of information, and protect against damage to information systems.
Data Classification: Per the Del Mar College Data Classification Procedure.
Critical Data: Data that can result in criminal or civil penalties if inappropriately handled. This is the highest level of classification for data, and use is limited to explicitly designated individuals with a stringent business requirement.
Confidential: Data that is restricted because of legal, ethical, or other constraints, and may not be accessed without specific authorization. Improper release would have a significant adverse impact to the College and may be subject to notification requirements.
Protected Information - Data: Confidential, Critical, and Personally Identifiable Information (PII) (electronic and paper).
Prohibited Use: Del Mar College prohibits engaging in any activity that compromises the privacy, confidentiality, availability, or security of the College’s systems, accounts, data, or communications. Prohibited activities include:
- Unauthorized access, monitoring, or use of the College’s systems or data.
- Unauthorized disclosure, alteration, or destruction of the College’s data.
- Impersonation of others or forging electronic communications.
- Attempts to breach or bypass security measures of the College’s information systems.
- Sharing critical or confidential information without proper authorization.
Data Physical Security: This section outlines data physical security at the College. The following controls protect assets and secure data in the physical workspace:
Clean Desk: Employees must secure protected documents and electronic devices when not in use, particularly after business hours or when desks are unattended. Protected materials should be out of sight and locked up when not in use.
Physical Access Control Systems: Spaces containing protected information must have suitable physical access control systems to prevent unauthorized entry. Access must be restricted to authorized personnel based on their specific roles and the need to access sensitive information.
Surveillance Systems: Surveillance measures should be implemented around sensitive data storage areas to monitor activities in accordance with Del Mar College policies.
Physical Barriers: Implement gates, fencing, and secured doors to prevent unauthorized physical access to areas housing protected data.
Environmental Controls: Climate control systems must be implemented and regularly maintained to protect equipment and paper records from extreme temperatures and humidity.
Physical Barriers: Intrusion detection systems will be implemented in accordance with Del Mar College policies.
Data Destruction: Data destruction is essential for ensuring that critical and confidential information is completely irretrievable when it is no longer needed. This process helps protect against data breaches, unauthorized access, and ensures compliance with various legal and regulatory requirements. See Board Policy B3.19 Records Management Policy for more information.
Responsibility: All Del Mar College departments and employees must securely destroy confidential and critical data under their responsibility when it is no longer needed. Additionally, all departments and employees must adhere to all relevant State regulations concerning data retention and destruction.
Scope: This policy applies to both paper/hard copy and electronic data.
Requirements: All critical and confidential data eligible for destruction must be destroyed in accordance with Texas State regulations as follows:
- To ensure electronic records eligible for destruction are disposed of in a manner that ensures protection of confidential or critical information, data must be rendered unreadable or indecipherable by shredding, cryptographic erasing, or other destruction method that renders data unrecoverable.
- Electronic storage media used for electronic records containing confidential information cannot be reused if the previously recorded information can be compromised in any way through reuse.
- Paper records and optical media: destruction methods include burning, shredding, pulping, or burial in a landfill.
- Electronic records: destruction methods include degaussing, shredding, pulping, cryptographic erasure, or incineration.
Information System Assets: DMC Information Technology is responsible for the secure destruction and disposal of hard drives and other media pulled from computers, servers, printers, and other devices in accordance with State regulations as follows:
Responsibility: IT must ensure that all hard drives and electronic media are securely destroyed when they are no longer needed.
Compliance: All media destruction must comply with State laws and regulations.
Destruction:
Hard Drives and Electronic Media: Destruction methods include shredding, degaussing, cryptographic erasing, or incineration to ensure data is unreadable or indecipherable.
Optical Media: Destruction methods include shredding or incineration.
Secure Handling: Electronic storage media used for records containing confidential information cannot be reused if the previously recorded information can be compromised through reuse.
Documentation: DMC Information Technology must document the destruction process, including the methods used, and confirm that data has been rendered unrecoverable.
Incident Reporting: Any incidents related to improper data destruction must be reported immediately to DMC Information Technology.
Detachable and Optical Media:
Definitions: External detachable and optical media refer to portable storage devices used to store, transfer, and access data.
Detachable Media: Includes USB drives, external hard drives, memory cards, and other portable storage devices. This also includes storage on smartphones.
Optical Media: Refers to CDs, DVDs, Blu-ray discs, and other similar media used for data storage.
Usage: The use of external detachable and optical media at the College is permitted with the following conditions:
Authorized Use: Only college-approved media shall be used for work-related activities.
Prohibited Actions: The following actions are prohibited:
Download or store non-work-related content on college devices.
Insert or connect personal detachable or optical media, including smartphones, into college devices.
Download or store college data on personal detachable or optical media.
Insert college-authorized detachable media into unknown devices such as personal, shared, or public computer devices.
Download or store any college data on detachable or optical media without authorization.
Faculty or staff that require the use of detachable or optical media to perform their job or teaching duties must contact DMC Information Technology for assessment and provisioning of properly configured media sourced from a reputable manufacturer and with appropriate encryption installed.
Data Security: The following data security controls apply to the use of detachable and optical media at the college.
End Points: College end points used to connect detachable or optical media must have approved end-point protection (antivirus) installed.
Environmental: Ensure detachable and optical media are protected from extreme heat and humidity.
Backup: Detachable media is known to be unreliable for long-term storage. Ensure secure backups of data are maintained on reliable information system storage media.
Encryption: All critical and confidential data stored on detachable and optical media must be encrypted in accordance with State of Texas cryptographic protection requirements.
Physical Security: Detachable or optical media containing protected data must always be secured.
Never leave unattended media unprotected. Ensure the media is securely locked away.
Refer to Data Physical Security and Data Destruction provisions listed earlier in this policy for additional instructions.
Access Control Permissions:
Storage or transport of college data on detachable or optical media requires authorization by the responsible Information Owner as defined earlier in this policy.
Authorization must be based on the necessity for the employee's role and specific job functions.
Incident Reporting:
Lost or Stolen Media: Lost or stolen detachable or optical media must be reported immediately to DMC Information Technology Help Desk.
Data Breach: Any suspected or confirmed data breach involving detachable or optical media must be reported to DMC Information Technology immediately. This includes unauthorized access, disclosure, or loss of protected data.
Disposal: Erasure of data and disposal of detachable or optical media shall be done in accordance with Data Destruction provisions listed earlier in this policy.
Internet Use
Internet and network access provided by the College is designated for college-related activities and is available to employees, students, and guests. All users are required to use these resources responsibly and ensure that their actions do not compromise privacy, confidentiality, availability, or security of the College’s information systems or data.
Prohibited Internet activities include, but are not limited to:
Cyberbullying, Harassment, and Stalking: Engaging in any form of cyberbullying, harassment, or stalking.
Illegal or Pirated Materials: Accessing, downloading, or distributing illegal or pirated materials, including copyrighted content without authorization.
Privacy Violations: Violating the privacy or confidentiality of others, including unauthorized monitoring, or accessing others' accounts, data, or communications.
Fraudulent Activities: Participating in any form of online fraud, phishing, scamming, or any other illegal activities.
Inappropriate Content: Posting or sharing defamatory, obscene, or offensive content.
Security Breaches: Compromising the security or integrity of the College’s information systems or networks, such as hacking, spreading malware, or attempting unauthorized access.
Service Agreement Violations: Violating the terms of service or acceptable use policies of any website, online service, or application.
Unauthorized Media Activities: Engaging in unauthorized downloading, streaming, or sharing of media files that may cause network congestion or negatively impact network performance for others.
Commercial Use: Using College Internet resources for personal financial gain or commercial activities without express permission from the College’s authorities.
Excessive Personal Use: Engaging in excessive personal use of the Internet that interferes with work or academic responsibilities.
Electronic Communications and Email
Ownership and Retention: All electronic communications, including College email and electronic chat, sent or received by users while conducting College business, are considered property of Del Mar College and the State of Texas. These communications are subject to Texas State records retention and security requirements.
User Responsibilities: Users must comply with all applicable laws, regulations, and College policies regarding email use.
Personal Use: Users should avoid personal use that interferes with work or academic responsibilities.
Official Business: Users must utilize College-provided email and communication accounts, rather than personal accounts, for conducting official College business.
Attachments: Attach only necessary files and ensure they do not contain malicious content.
Etiquette: Do not use the reply-all option with large distribution lists.
Reporting Incidents: Any suspected email security breaches or incidents must be reported immediately to Information Technology Services.
College Wide Email: Only authorized personnel are allowed to send College-Wide emails and announcements, or other mass electronic communications.
Prohibited Activities: The following activities are prohibited when using official College electronic communications and email accounts:
Impersonation: Sending messages under another individual’s name or email address, except when expressly authorized by the owner of the account.
Unauthorized Access: Accessing the content of another user's electronic communications, except:
- As part of an authorized investigation.
- As part of approved monitoring.
- For purposes specifically authorized as part of a user’s official duties.
Fraudulent Activities: Participating in any form of online fraud, phishing, scamming, or any other illegal activities.
Cloud Storage
Del Mar College provides cloud storage and collaboration platforms, such as OneDrive and SharePoint, to facilitate the academic and administrative needs of employees and students. These platforms are intended to support College-related activities and must be used in compliance with all applicable laws, regulations, and College policies and procedures.
Authorized Cloud Storage Platforms
Del Mar College Managed OneDrive: Officially approved for storing and sharing Del Mar College data.
Del Mar College Managed SharePoint: Approved for collaboration and document management within the College.
Personal Cloud Storage: Use of personal cloud storage or other unauthorized collaboration platforms to store, transmit, or otherwise interact with the College’s data is prohibited.
Third-Party Data Transfer and Sharing: Use of cloud storage to facilitate data transfers and sharing using solutions hosted by a third-party partner or vendor is authorized under the following conditions:
Approval and Agreements: The third-party partner or vendor must be approved for data sharing. This includes having all necessary contracts and agreements in place, along with completion of security assessments.
Compliance with Laws and Policies: All data transactions must comply with applicable laws and regulations governing the protection of State data, as well as Del Mar College policies and procedures.
Data Management and Protection: College-owned data shared with authorized third parties must be managed in accordance with State retention regulations and College data protection policies. Users must ensure that data integrity, confidentiality, and availability are maintained.
Account Credential Security
Protecting the security and integrity of system user account credentials is crucial to maintaining a secure computing environment. System access account credentials, including usernames, passwords, and any other authentication information, are personal and shall not be shared or disclosed to anyone. It is the account credential holder’s responsibility to ensure the confidentiality and security of their account credentials.
System account holders are responsible for the following:
Keep account credentials confidential and secure. Do not share them with others, including friends, colleagues, or family members.
Create strong and unique passwords for accounts. Avoid using easily guessable passwords or reusing passwords across multiple accounts.
Change passwords periodically, especially if you suspect unauthorized access or compromise.
Multi-Factor Authentication (MFA) is required to be used on all systems where specified.
Immediately report any suspected or actual unauthorized use or disclosure of your account credentials to DMC Information Technology.
Network and Wireless Use
This policy governs the use of networks and wireless services provided by Del Mar College. It outlines the responsibilities and expectations for users accessing the network and emphasizes the importance of adhering to acceptable use requirements to ensure a secure and reliable wireless environment.
Access and Authentication:
Access to the wireless network is available to students, staff, and authorized guests. Protected logins are required for students and staff to access the network. Users must authenticate themselves with their assigned credentials to gain network access.
Guest access is provided for visitors and guests of Del Mar College. Guest users are required to comply with this Acceptable Use Policy (AUP), and any additional requirements provided by Del Mar College.
Compliance and Legal Requirements:
Users of the wireless network must comply with all applicable laws, regulations, and College policies.
Privacy and Monitoring:
All network communications over the wireless network should be considered non-private and non-protected. Users should not assume that their communications are secure or confidential.
Del Mar College reserves the right to monitor network communications to ensure compliance with this policy and to maintain the security and integrity of the network.
Network Usage and Conduct:
Users must refrain from any activities that may disrupt or interfere with the access and usage of the wireless network by other users or networks.
Del Mar College reserves the right to block, suspend, or terminate access to the wireless network at any time for any reason, including but not limited to violations of this policy, actions that may lead to liability for Del Mar College, disruption of network access, or violation of applicable laws or regulations.
User Responsibilities:
Users are responsible for ensuring the security of their devices connected to the wireless network. This includes keeping their devices updated with the latest security patches, using strong and unique passwords, and employing appropriate security measures such as firewalls and antivirus software.
Users must not attempt to circumvent or disable any network security measures implemented by Del Mar College.
Remote Access: The College provides secure remote access to internal IT resources as needed based on the necessity for the employee's role and specific job functions.
Requirements: All remote access requests require the following:
A business case detailing why remote access is required, including the resources the user needs to access.
Requests must be approved by the employee's Department Head, Chair, or higher, the Deputy CIO, and Information Security Officer.
Users must have successfully completed the current State approved annual cyber training and policy review.
Remote access must be configured securely and used in accordance with the College’s policies and applicable regulations.
Secure remote access client software and connections are restricted to the College’s managed IT assets.
The use of Multi-Factor Authentication with remote access is required where specified.
Access Revocation: Failure to comply with the College’s policies or maintain annual cyber security training requirements will result in the revocation of remote access privileges.
Software and Application Installation and Use
Authorized Staff Only: All software and application installations on college-managed IT assets can be performed by authorized staff only.
Security Assessed and Approved: Only security assessed and approved software and platforms are permitted to be installed on college-managed devices.
Additional Policies: Refer to the Prohibited Technologies and TX RAMP sections of this policy for additional instructions on permitted software and cloud platforms.
Cyber Security Training and Policy Review
Annual Cyber Security Training: In accordance with state regulations, all state employees who have access to state government computer systems or databases must complete a state approved cybersecurity training program annually.
Per regulations, elected or appointed officials must complete State approved cybersecurity training annually.
Contractors, including subcontractors and employees of contractors, who have access to state computer systems or data, must complete a State approved cybersecurity training program annually. The training must be completed during the term of the contract and any renewal periods.
The ISO or designated college representative shall report the completion of cybersecurity training for all personnel and contractors to the State by the specified deadline.
Annual Acceptable Use Policy (AUP) Review: All college employees with access to information resources must review the AUP annually. This ensures they remain informed about their responsibilities and any updates to the policy. During this review, employees must affirm their understanding to comply with the AUP.
Prohibited Technologies
To maintain a secure computing environment and ensure compliance with state and federal regulations, Del Mar College strictly prohibits the installation, access, or use of software, applications, web resources, and hardware originating from countries classified as adversaries by state and federal mandates on all college computing assets and networks.
Prohibited Technologies Use: Users are prohibited from installing, accessing, or using any software, applications, web resources, or hardware listed on the Prohibited Technologies List while using state computing assets, networks, or when accessing or storing state data. This includes all technologies explicitly banned by state or federal mandates, such as the Texas Governor’s directive banning the use of TikTok on state computing assets.
Scope Restriction: The Prohibited Technologies restriction does not apply to personal assets or personal internet provider networks, provided they do not store or access state data.
Compliance and Enforcement: Refer to the Del Mar College Prohibited Technologies Security framework for detailed instruction on security controls and exceptions.
Technology Security Assessments and Texas Risk and Authorization Management Program (TX RAMP)
Technology Purchases and Security Assessments: For detailed instructions relating to mandatory technology security assessments and understanding technology purchase requirements, refer to procedure C2S3HD7 Technology Purchases.
TX RAMP: In alignment with state regulations and to ensure the security of our cloud resources and data, all cloud platforms that store, process, or transmit state-owned data must comply with TX-RAMP requirements.
Vendor Certification Requirements: All vendors contracted to provide cloud computing services must have full or provisional TX RAMP certification prior to executing or renewing any cloud computing services contract. This requirement applies to all contracts initiated or renewed on or after January 1, 2022.
Ongoing Compliance Requirement: All vendors providing cloud computing services must maintain continuous compliance with TX RAMP standards throughout the duration of their contract. This includes undergoing periodic reviews and renewals of certification with the Texas Department of Information Resources (DIR).
Use of Artificial Intelligence (AI) Enabled Systems and Generative AI
Annual Report: The college is required to submit an annual report to the state detailing the use and management of all automated decision systems. This report must include descriptions of system functionalities, data processing methods, adherence to security standards, and associated financial impacts.
Each department must submit an annual inventory report detailing all automated decision systems utilized for educational and administrative functions used by the college.
DMC Information Technology will provide guidelines for the report format and submission.
Scholastic Use: Refer to the Del Mar College Manual of Policies and Procedures A7.13.7.7 Artificial Intelligence (A.I.) Created Worked.
Production Use: Refer to policy Use of AI Enabled Systems and Generative AI.